Microsoft issues fix for XML flaw targeted in zero-day attacks

By Kevin McCaney

Jul 11, 2012

Microsoft’s latest Patch Tuesday update includes a partial fix for a vulnerability in XML Core Services that is being actively exploited in zero-day attacks.

That vulnerability, the subject of one of three “critical” fixes among the 16 the company issued, has been identified in attacks in Europe and against the aerospace industry since Microsoft first warned of the flaw June 12. The exploit is spread through phishing attacks and allows remote code execution if users are lured to a malicious website run by the attackers.

The vulnerability exists in versions 3.0, 4.0, 5.0 and 6.0 of XML Core Services and affects Internet Explorer in all supported versions of Windows -- XP, Vista, Windows 7 and Windows Server 2008 -- as well as all versions of Office 2003 and 2007.

The fix issued Tuesday covers versions 3.0, 4.0 and 6.0 but not 5.0, for which security experts said they expect a fix to be delivered later. To date, the exploits have targeted version 3.0, Andrew Storms, director of security operations at nCircle, told eWeek.

The other two critical fixes also address vulnerabilities that could allow remote code execution, although no exploits of them have been reported. One of the vulnerabilities is in Internet Explorer 9, the other in Microsoft Data Access Components.

The flaw in XML Core Services, also known as MSXML, was reported to Microsoft by Google on May 30, and the two companies began working on it together. Shortly afterward, Google launched a service that warns its users if they may be the targets of state-sponsored attacks, a move reportedly made in response to the MSXML exploits.

When Microsoft issued its June 12 warning, the company said the vulnerability was being exploited but didn’t offer specifics. Security company Sophos later said it was exploited in recent attacks against an aeronautical parts supplier and a medical company, both in Europe. And in early July, AlienVault Labs reported finding the exploit being used with a new variant of the Sykipot Trojan in attacks targeting the aerospace industry and others.

Microsoft had directed users to a Fix-it workaround to mitigate the vulnerability but had not, until now, produced an automated fix.